<a href='https://github.com/angular/angular.js/edit/v1.6.x/src/ng/sce.js?message=docs($sceDelegateProvider)%3A%20describe%20your%20change...#L122' class='improve-docs btn btn-primary'><i class="glyphicon glyphicon-edit">&nbsp;</i>Improve this Doc</a>



<a href='https://github.com/angular/angular.js/tree/v1.6.6/src/ng/sce.js#L122' class='view-source pull-right btn btn-primary'>
  <i class="glyphicon glyphicon-zoom-in">&nbsp;</i>View Source
</a>


<header class="api-profile-header">
  <h1 class="api-profile-header-heading">$sceDelegateProvider</h1>
  <ol class="api-profile-header-structure naked-list step-list">
    
  <li>
    <a href="api/ng/service/$sceDelegate">- $sceDelegate</a>
  </li>

    <li>
      - provider in module <a href="api/ng">ng</a>
    </li>
  </ol>
</header>





<div class="api-profile-description">
  <p>The <code>$sceDelegateProvider</code> provider allows developers to configure the <a href="api/ng/service/$sceDelegate">$sceDelegate service</a>, used as a delegate for <a href="api/ng/service/$sce">Strict Contextual Escaping (SCE)</a>.</p>
<p>The <code>$sceDelegateProvider</code> allows one to get/set the whitelists and blacklists used to ensure
that the URLs used for sourcing AngularJS templates and other script-running URLs are safe (all
places that use the <code>$sce.RESOURCE_URL</code> context). See
<a href="api/ng/provider/$sceDelegateProvider#resourceUrlWhitelist">$sceDelegateProvider.resourceUrlWhitelist</a>
and
<a href="api/ng/provider/$sceDelegateProvider#resourceUrlBlacklist">$sceDelegateProvider.resourceUrlBlacklist</a>,</p>
<p>For the general details about this service in Angular, read the main page for <a href="api/ng/service/$sce">Strict Contextual Escaping (SCE)</a>.</p>
<p><strong>Example</strong>:  Consider the following case. <a name="example"></a></p>
<ul>
<li>your app is hosted at url <code>http://myapp.example.com/</code></li>
<li>but some of your templates are hosted on other domains you control such as
<code>http://srv01.assets.example.com/</code>, <code>http://srv02.assets.example.com/</code>, etc.</li>
<li>and you have an open redirect at <code>http://myapp.example.com/clickThru?...</code>.</li>
</ul>
<p>Here is what a secure configuration for this scenario might look like:</p>
<pre><code>angular.module(&#39;myApp&#39;, []).config(function($sceDelegateProvider) {
  $sceDelegateProvider.resourceUrlWhitelist([
    // Allow same origin resource loads.
    &#39;self&#39;,
    // Allow loading from our assets domain.  Notice the difference between * and **.
    &#39;http://srv*.assets.example.com/**&#39;
  ]);

  // The blacklist overrides the whitelist so the open redirect here is blocked.
  $sceDelegateProvider.resourceUrlBlacklist([
    &#39;http://myapp.example.com/clickThru**&#39;
  ]);
});
</code></pre>
<p>Note that an empty whitelist will block every resource URL from being loaded, and will require
you to manually mark each one as trusted with <code>$sce.trustAsResourceUrl</code>. However, templates
requested by <a href="api/ng/service/$templateRequest">$templateRequest</a> that are present in
<a href="api/ng/service/$templateCache">$templateCache</a> will not go through this check. If you have a mechanism
to populate your templates in that cache at config time, then it is a good idea to remove &#39;self&#39;
from that whitelist. This helps to mitigate the security impact of certain types of issues, like
for instance attacker-controlled <code>ng-includes</code>.</p>

</div>




<div>
  

  

  

  
<h2>Methods</h2>
<ul class="methods">
  <li id="resourceUrlWhitelist">
    <h3><p><code>resourceUrlWhitelist([whitelist]);</code></p>

</h3>
    <div><p>Sets/Gets the whitelist of trusted resource URLs.</p>
<p>The <strong>default value</strong> when no whitelist has been explicitly set is <code>[&#39;self&#39;]</code> allowing only
same origin resource requests.</p>
<div class="alert alert-warning">
<strong>Note:</strong> the default whitelist of &#39;self&#39; is not recommended if your app shares its origin
with other apps! It is a good idea to limit it to only your application&#39;s directory.
</div></div>

    

    
    <h4>Parameters</h4>
    
<table class="variables-matrix input-arguments">
  <thead>
    <tr>
      <th>Param</th>
      <th>Type</th>
      <th>Details</th>
    </tr>
  </thead>
  <tbody>
    
    <tr>
      <td>
        whitelist
        
        <div><em>(optional)</em></div>
      </td>
      <td>
        <a href="" class="label type-hint type-hint-array">Array</a>
      </td>
      <td>
        <p>When provided, replaces the resourceUrlWhitelist with the value
    provided.  This must be an array or null.  A snapshot of this array is used so further
    changes to the array are ignored.
    Follow <a href="api/ng/service/$sce#resourceUrlPatternItem">this link</a> for a description of the items
    allowed in this array.</p>

        
      </td>
    </tr>
    
  </tbody>
</table>

    

    

    
    <h4>Returns</h4>
    <table class="variables-matrix return-arguments">
  <tr>
    <td><a href="" class="label type-hint type-hint-array">Array</a></td>
    <td><p>The currently set whitelist array.</p>
</td>
  </tr>
</table>
    </li>
  
  <li id="resourceUrlBlacklist">
    <h3><p><code>resourceUrlBlacklist([blacklist]);</code></p>

</h3>
    <div><p>Sets/Gets the blacklist of trusted resource URLs.</p>
<p>The <strong>default value</strong> when no whitelist has been explicitly set is the empty array (i.e. there
is no blacklist.)</p>
</div>

    

    
    <h4>Parameters</h4>
    
<table class="variables-matrix input-arguments">
  <thead>
    <tr>
      <th>Param</th>
      <th>Type</th>
      <th>Details</th>
    </tr>
  </thead>
  <tbody>
    
    <tr>
      <td>
        blacklist
        
        <div><em>(optional)</em></div>
      </td>
      <td>
        <a href="" class="label type-hint type-hint-array">Array</a>
      </td>
      <td>
        <p>When provided, replaces the resourceUrlBlacklist with the value
    provided.  This must be an array or null.  A snapshot of this array is used so further
    changes to the array are ignored.</p><p>
    Follow <a href="api/ng/service/$sce#resourceUrlPatternItem">this link</a> for a description of the items
    allowed in this array.</p><p>
    The typical usage for the blacklist is to <strong>block
    <a href="http://cwe.mitre.org/data/definitions/601.html">open redirects</a></strong> served by your domain as
    these would otherwise be trusted but actually return content from the redirected domain.
    </p><p>
    Finally, <strong>the blacklist overrides the whitelist</strong> and has the final say.</p>

        
      </td>
    </tr>
    
  </tbody>
</table>

    

    

    
    <h4>Returns</h4>
    <table class="variables-matrix return-arguments">
  <tr>
    <td><a href="" class="label type-hint type-hint-array">Array</a></td>
    <td><p>The currently set blacklist array.</p>
</td>
  </tr>
</table>
    </li>
  </ul>
  
  



  
</div>


